Time-triggered communication system and method for the synchronization of a dual-channel network

ABSTRACT

A time-triggered communication system in a dual-channel network of single-channel architecture, wherein in each case one communication controller (2, 6) is assigned to one channel, and two corresponding communication controllers (2, 6) communicate with one another via an inter-channel interface (1 a, 1 b). Said inter-channel communication contains information about limiting points (G1, G2 . . . G12) of a time path. A limiting point (G1, G2 . . . G12) is, for example, the point in time when a cycle starts. The interchange of limiting points enables the temporal offset of the two channels to be determined as well as a correction value. After every two cycles also the rate error of the local clocks can be ascertained and a suitable correction value determined. The reliability of safety-relevant networks is increased by the time-triggered communication system described hereinabove.

The invention relates to networks or communication systems comprising two channels and at least two nodes. The invention relates in particular to time-triggered communication systems.

Conventional architectures, where a single communication controller (CC) controls two channels, are error-prone to the extent that a single error in this communication controller, or its complete failure, leads to faulty communication or deactivates the bus communication to both channels. Without additional error-reducing measures, a single faulty communication controller would be capable of precluding the communication on both channels by faulty transmission (a so-termed Babbling Idiot).

In safety-relevant applications, data is transmitted in the dual-channel method to make sure, by means of redundancy, that the data sent twice arrives at least once at the recipient and is correctly processed there. As mentioned hereinabove, a single communication controller, which accesses two channels, cannot reach this degree of reliability as it might be subject to complete failure.

In a safety-relevant dual-channel network the same data is transferred on both channels and is checked for agreement by the host; consequently, it is of decisive importance that the data communication should be synchronous. In this connection, the term “synchronous” is to be taken to mean that the data transmission on both channels is exactly simultaneous or time-shifted within a time window. As the communication controller falls back on the same clock generator for the data bus of each channel, the conformity in time is achieved.

A communication controller essentially comprises a controller-host interface, a protocol engine and a clock generator.

A typical fault-tolerant, time-triggered network consists of two channels to which communications nodes are connected. Each of these nodes consists of bus drivers, a communication controller, a host and finally, if necessary, a bus guardian device.

The bus driver transmits the bits and bytes, which are provided by the communication controller, to the connected channel, and provides the communication controller, in the proper order, with the information it receives on the channel. In a fault-tolerant network, the communication controller is connected with both channels, supplies relevant data to the host and receives data from the host, which it assembles, in the proper order, into frames and supplies to the bus driver.

Time-triggering or time control means that the time is sliced into periodic cycles. Each of these cycles consists of a plurality of segments. Each network node determines the start of a new cycle according to its own built-in clock generator. At least one segment is divided into a fixed number of slots. Each slot is allotted to exactly one communication controller, and only that communication controller has the right to transmit. Other segments of a cycle can be used for dynamic configuration or other purposes.

In a configuration set, the slots and the associated communication controllers are specified. An optional bus guardian with an independent set of configuration data enables the transmission on the bus only during these slots.

The host contains the data source and the data sink and generally does not take part in the activities of the bus protocol.

The communication system is started by a single node, the so-termed cold start node. This node is selected either by configuration or, if a plurality of nodes are available as cold start nodes, by the application of an algorithm, at the end of which a node remains. The communication controller of the selected cold start node must listen to both channels and transmit simultaneously all data for the cold start to both channels. Within a communication controller, only a single control logic for carrying out the cold start is available for both channels.

Each node listens to both channels. If a node receives a specific frame, which indicates the start of the communication, then it will take over the time schedule of the transmission observed and integrate it into its own system. Consequently, the two channels are substantially synchronous at the start of the network.

A distributed synchronization of the clocks, where the nodes are tuned to one another, is required because each node itself deduces the start of a cycle and hence the temporal order of all segments and time slots. Each node has its own, local clock in order to make sure that the communication system does not depend on a single master clock whose failure would collapse the entire network. The difference between the own local clock and the local clocks of other participating nodes of the network, which are all synchronization nodes, is used to correct the own local clock in a fault-tolerant manner.

The local clocks can be corrected in two ways, i.e. correction of the time shift and correction of the clock rate. The clock rate correction also tries to equalize the various clock rates in the system, i.e. it tries to bring the clock rates closer together. The time shift is customarily reduced by correcting the local clocks at the end of a cycle or, if it is additionally necessary to reduce the clock rate error, at the end of a two-cycle time period since two measurement values are necessary to calculate the clock rate deviation.

In the system which is not controlled by a master, the nodes themselves remain synchronized with respect to each other by a distributed, error-free algorithm.

The system described here for starting a communication system corresponds, for example, to “TTP/C Specification”, Version 0.5, Edition 0.1, 21 Jul. 1999, TT Tech Computertechnik AG; http://www.ttech.com; or to the “FlexRay Requirements Specification”, Version 2.0.2, April 2002, FlexRay Consortium; www.flexray.com.

It is an object of the invention to provide a time-triggered dual-channel network of the type described in the opening paragraph, which has been developed further in respect of fault-tolerance. A further object of the invention is to provide a method for the synchronization of a time-triggered dual-channel network of the type described above.

This object is achieved in accordance with the invention by a time-triggered communication system comprising at least two channels (A, B) and at least a first and a second node, wherein

a first communication controller is assigned to the first channel and a second communication controller is assigned to the second channel,

the first and the second communication controller each have a local clock, said two local clocks being physically separated,

an interface for the inter-channel communication is arranged between the first communication controller and the second communication controller.

The expression “physically separated” means that although the two local clocks may be pulsed by one and the same oscillator, they may still deviate from each other due to asynchronous start-up or delays at the intrachannel communication.

The single-channel architecture described herein means that each of the two channels is driven, at one or more nodes of the communication system, by a communication controller assigned to it. If two communication controllers operate in parallel, i.e. in each case one communication controller is assigned to one of two channels, on which redundant information is transmitted which is compared by recipients, it is essential that the data are transmitted so as to be in temporal conformity. It cannot be ensured, however, that the two clock generators of the two communication controllers are synchronous since the distributed, fault-free, synchronization algorithm can only maintain the synchronism of the communication controllers of one channel as it does not have information about the other channel. This is the reason why there is an interface for the inter-channel communication between the two communication controllers. Inter-channel communication means, in this case, that information regarding the two channels is exchanged between the first and the second communication controller. The first and the second communication controller jointly form a node.

The invention describes how two channels that are already substantially in temporal conformity can be “pulled closer together” to the effect that the temporal offset is reduced, i.e. the channels are synchronized. Using the measures described hereinabove, exact synchronism of the two channels cannot be achieved because the data exchange via the interface for the inter-channel communication causes a delay, however small. In this connection, the term “synchronous” means: in temporal conformity.

The inter-channel communication consists of an information exchange regarding specific limiting points of the respective time path of the first and the second communication controller. Said specific limiting points are preferably the time points at the beginning of a cycle on the associated channel.

In accordance with a preferred embodiment the first and the second communication controller comprise means for receiving and for processing information regarding said limiting points. Said means include, for example, a controller, a memory (RAM) and an energy supply.

In accordance with an embodiment of the invention both communication controllers are arranged on a common chip, and the interface is also integrated on this chip. This gives the advantage that only one housing must be mounted and electrically contacted.

In accordance with yet another embodiment both communication controllers are each arranged on a chip of their own and the interface is externally arranged. As a result, the fault domain “common chip” is omitted. In the case of, for example, an overvoltage fault possibly one of the two chips remains undamaged. As a result, the network would be functioning on one channel.

The object of the invention is also solved by a method of synchronizing a dual-channel network which includes two channels and at least one node, comprising the steps of

transmitting a first limiting point to the first communication controller via an inter-channel interface at the beginning of a cycle on the second channel,

receiving the first limiting point,

transmitting a second limiting point to the second communication controller at the beginning of a cycle on the first channel,

determining a first temporal difference between the first limiting point and the second limiting point, and

generating a first and a second correction value in dependence on the first temporal difference for each of the two local clocks of the first and the second channel.

The method described herein corrects the temporal offset between the local clocks.

By virtue of the fact that two communication controllers are available, the fault protection is increased. They communicate via a common interface, so that an information exchange regarding the current time path or the local clock time takes place.

The temporal difference is determined, for example, by subtracting the first limiting value from the second limiting value. A correction value for the temporal offset between the two local clocks is preferably formed by a function f(x), where x=(Delta i)/2. By virtue of this function f it is achieved that the temporal difference enters only proportionally in the correction value, so that individual deviations (which may or may not be caused by errors) in extreme cases only have a small effect on the synchronization of the communication controller inside a channel.

The synchronization method is continued in the direction of a loop starting at the next cycle (cycle i+1) with a third limiting value of the channel B and a fourth limiting value of the channel A.

The object is achieved in accordance with the invention by a method as claimed in claim 9 which, besides the temporal drift between the local clocks, also takes account of any errors of the respective clock rates. Compensation of the clock rate errors can take place only after completion of two cycles, since two measurements, ideally spaced one cycle apart, are required to measure the rate.

In an embodiment of the invention, the correction value for the temporal offset between the two local clocks is formed by a function f(x), where x=(Delta i)/2 and/or the correction value for the clock rate error is formed by a function g(y), where y=((Delta i+1)−(Delta i))/(2*cycle length).

Two examples, which are non-limitative, are shown for the function f(x) and are transferable to g(y):

a) f(x)=x for abs(x)<c, f(x)=x-sgn(x)c for abs(x)>=c, where c=constant

b) f(x)=sgn(x)*min(abs(x),c), where c=constant.

The function f(x) is intended to limit the influence of the inter-channel synchronization, i.e. between the two channels, such that the intra-channel synchronization, i.e. on one channel, remains intact, which means that the distributed algorithm is only disturbed, not destroyed. By virtue of the functions f and g it is achieved that the temporal difference enters only proportionally in the correction value, so that individual deviations (which may or may not be caused by errors) in an extreme case have only a small effect on the synchronization of the communication controller within a channel.

Next, a description is given of examples for the formation of the correction value, which do not limit the scope of the invention:

1) Division of the temporal difference by a constant factor, for example 2, in accordance with a so-termed dead-beat control.

2) Division of the temporal difference by a constant factor and, in addition, limitation of the maximum absolute value of the correction value by another constant, for example 1 or 2, corresponding to a so-termed threshold application.

3) Division of the temporal difference by a constant factor and subsequent subtraction of an amount, which depends on the absolute amount of the difference. For example, if the result of the division of the difference by the constant factor of 2 exceeds 4, then the value 4 is subtracted therefrom and the result of the subtraction is applied, corresponding to a so-termed dampening application.

4) Combination of individual examples or a plurality of said examples to generate the correction value.

The inter-channel difference is reduced by applying the correction values generated as described above, if said inter-channel difference is greater than the intra-channel accuracy.

By applying said mechanisms, the maximum difference between any of the single-channel communication controllers in the system is limited by a specific value which depends on the function for generating the correction value.

The mechanism described herein may also be used for the synchronization of a communication controller and the associated bus guardian. In that case, the bus guardian must be supplied with a comparatively high frequency.

In a variant, the transit time delay via the interface for the transmission of a limiting value is known or estimated, and compensated by adaptation of the correction values.

A node is formed by two equivalent, corresponding communication controllers, therefore it lies within the scope of the invention that the sequence is reversed, and the method starts with the first channel.

The dual-channel network with inter-channel communication in accordance with the invention is preferably used as a communication system in a motor vehicle control, where it is used to control safety-relevant processes.

These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiment(s) described hereinafter.

In the drawings:

FIG. 1 shows an example of a single-channel architecture with external interface,

FIG. 2 shows an example of a single-channel architecture with an interface integrated on the chip,

FIG. 3 is a time diagram of a first variant of an inter-channel synchronization, and

FIG. 4 shows a time diagram of a second variant of an inter-channel synchronization.

FIG. 1 shows an example of a single-channel architecture with an external interface 1 a. The first communication controller 2 comprises at least one protocol engine 3 and an interface 4 between the communication controller 2 and a host 5. The first communication controller 2 sends and receives on channel A of a dual-channel network, that is not shown in further detail.

The second communication controller 6 comprises at least one protocol engine 7 and an interface 8 between the communication controller 6 and a host 5. The second communication controller 6 sends and receives on channel B of a dual-channel network, that is not shown in further detail.

The first and the second communication controller 2, 6 are each arranged on a separate first and second chip 9, 10, respectively. Local inter-channel communication takes place via the external interface 1 a. The example shown in FIG. 1 presents a complete doubling in comparison with a customary communication controller of dual-channel architecture. This example has the advantage that in the event of failure of one chip, it is very probable that the other chip is undamaged and hence at least one of the two communication controllers operates correctly.

FIG. 2 shows an example of a single-channel architecture, where an interface 1 b is integrated on the chip. The first communication controller 2 comprises at least one protocol engine 3 and an interface 4 between the communication controller 2 and a host 5. The first communication controller 2 sends and receives on channel A of a dual-channel network, that is not shown in more detail.

The second communication controller 6 comprises at least one protocol engine 7 and an interface 8 between the communication controller 6 and a host 5. Said second communication controller 6 sends and receives on channel B of a dual-channel network, that is not shown in greater detail.

The first and the second communication controller 2, 6 are both arranged on a common chip 11. Local inter-channel communication takes place via the interface 1 b integrated on this chip 11. The example shown in FIG. 2 presents a reduced duplication in comparison with a customary communication controller of dual-channel architecture. This example has the advantage that it requires only one housing to be mounted.

FIG. 3 shows a time diagram of a first variant of an inter-channel synchronization. The upper time path relates to the communication controller 2 for the first channel A, the lower time path relates to the communication controller 6 for the second channel B. In this example, it is the second channel B that starts the communication process, i.e. the cycle starts earlier than that of the first channel A. A cycle is bounded by the limiting points G1 and G3 or G2 and G4, with the rear limiting points representing at the same time the start of the next cycle (cycle+1). The temporal offset Delta i is formed by the difference between the limiting points G2 and G1. Subsequently, a correction value is generated for each channel by a function f(x), where x=(Delta i)/2. After completion of a cycle and after the correction values have been applied, the specified limiting points G3 and G4 have come closer to each other. This is shown by dotted lines representing theoretical limiting points G3′ and G4′. The actual limiting points G3 and G4 demonstrate increased conformity with each other; in this case (Delta i+1)<(Delta i).

This variant is preferably used for clocks driven by a high-precision quartz having an error of 10 to 50 ppm.

FIG. 4 shows a time diagram of a second variant of an inter-channel synchronization. In this variant, the correction values are not applied until after two cycles since in order to determine the clock rate error, also the length of the cycle must be determined. The temporal offset Delta i is formed, also in this case, by the difference between the limiting points G2 and G1. Subsequently, a correction value is generated for each channel by a function f(x), where x=(Delta i)/2. At the start of the second cycle (cycle+1) the next limiting points G7 and G8 are interchanged. The correction value for the clock rate error is formed by a function g(y), where y=((Delta i+1)−(Delta i))/(2*length of cycle).

This embodiment is preferably employed in communication systems with a low data rate, long cycles or poor quartzes.
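The offset correction f(x) of FIG. 3 and the additional rate correction g(y) of FIG. 4, together with the limiting functions a) and b), as an added example in C that is not part of the original text. The function names, the sample constants (cycle length in microticks, the values of c), the ppm scaling of y and the sign convention (channel A shortens and channel B lengthens its cycle by the correction value) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample parameters (assumptions, not values from the text). */
#define CYCLE_LEN 10000LL /* nominal cycle length in microticks */
#define C_OFFSET  8LL     /* constant c limiting the offset correction f */
#define C_RATE    300LL   /* constant c limiting the rate correction g, in ppm */

/* Example b): f(x) = sgn(x) * min(abs(x), c). */
long long limit_b(long long x, long long c)
{
    if (x > c)  return c;
    if (x < -c) return -c;
    return x;
}

/* Example a): f(x) = x for abs(x) < c, f(x) = x - sgn(x)*c for abs(x) >= c. */
long long limit_a(long long x, long long c)
{
    if (llabs(x) < c) return x;
    return x > 0 ? x - c : x + c;
}

/* Offset correction f(x), x = (Delta i)/2, limited with example b). */
long long offset_correction(long long delta_i)
{
    return limit_b(delta_i / 2, C_OFFSET);
}

/* Rate correction g(y) in ppm, y = ((Delta i+1) - (Delta i)) / (2 * cycle length). */
long long rate_correction_ppm(long long delta_i, long long delta_next)
{
    long long y_ppm = (delta_next - delta_i) * 1000000LL / (2 * CYCLE_LEN);
    return limit_b(y_ppm, C_RATE);
}

/* FIG. 3 variant: limiting points are exchanged every cycle and only the
 * offset is corrected. Channel B starts first; A starts delta0 later.
 * len_a / len_b are the uncorrected cycle lengths of the two local clocks.
 * Returns Delta (A start minus B start) after `cycles` cycles. */
long long simulate_offset_only(long long delta0, long long len_a,
                               long long len_b, int cycles)
{
    long long t_a = delta0, t_b = 0;
    for (int i = 0; i < cycles; i++) {
        long long corr = offset_correction(t_a - t_b); /* Delta i = G2 - G1 */
        t_a += len_a - corr; /* assumption: A shortens its cycle by corr */
        t_b += len_b + corr; /* assumption: B lengthens its cycle by corr */
    }
    return t_a - t_b;
}

/* FIG. 4 variant: Delta i and Delta i+1 are measured at the starts of two
 * consecutive cycles, then offset and rate corrections are applied at the
 * end of the second cycle. Returns Delta after `double_cycles` rounds. */
long long simulate_offset_and_rate(long long delta0, long long len_a,
                                   long long len_b, int double_cycles)
{
    long long t_a = delta0, t_b = 0, adj_ppm = 0;
    for (int i = 0; i < double_cycles; i++) {
        long long adj = adj_ppm * CYCLE_LEN / 1000000LL; /* microticks/cycle */
        long long d_i = t_a - t_b;
        t_a += len_a - adj;
        t_b += len_b + adj;
        long long d_next = t_a - t_b;       /* no correction in between */
        long long corr = offset_correction(d_i);
        t_a += len_a - adj - corr;
        t_b += len_b + adj + corr;
        adj_ppm += rate_correction_ppm(d_i, d_next); /* used from next round */
    }
    return t_a - t_b;
}

int main(void)
{
    /* Constructed scenario: 40 microticks initial offset, clocks 400 ppm apart. */
    printf("offset only:     %lld\n", simulate_offset_only(40, 10002, 9998, 10));
    printf("offset and rate: %lld\n", simulate_offset_and_rate(40, 10002, 9998, 3));
    return 0;
}
```

With these constructed inputs the offset-only loop settles at a residual Delta of 4 microticks, because the uncorrected rate difference re-opens the gap every cycle, while the two-cycle variant removes the rate difference and reaches 0.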

In summary, the invention relates to a time-triggered communication system in a dual-channel network of single-channel architecture, wherein in each case one communication controller (2, 6) is assigned to one channel, and two corresponding communication controllers (2, 6) communicate with one another via an inter-channel interface (1 a, 1 b). Said inter-channel communication contains information about limiting points (G1, G2 . . . G12) of a time path. A limiting point (G1, G2 . . . G12) is, for example, the point in time when a cycle starts. The interchange of limiting points enables the temporal offset of the two channels to be determined as well as a correction value. After every two cycles also the rate error of the local clocks can be ascertained and a suitable correction value determined. The reliability of safety-relevant networks is increased by the time-triggered communication system described hereinabove. 

1. A time-triggered communication system comprising at least two channels (A, B) and at least a first and a second node, characterized in that a first communication controller (2) is assigned to the first channel (A) and a second communication controller (6) is assigned to the second channel (B), the first and the second communication controller (2, 6) each have a local clock, said two local clocks being physically separated, an interface (1 a, 1 b) for the inter-channel communication is arranged between the first communication controller (2) and the second communication controller (6).
 2. A time-triggered communication system as claimed in claim 1, characterized in that the inter-channel communication consists of an information exchange regarding specific limiting points (G1, G2 . . . G12) of the respective time path (CC-channel A, CC-channel B) of the first (2) and the second (6) communication controller.
 3. A time-triggered communication system as claimed in claim 2, characterized in that the first and the second communication controller (2, 6) comprise means for receiving and for processing information regarding said specific limiting points (G1, G2 . . . G12).
 4. A time-triggered communication system as claimed in claim 1, characterized in that both communication controllers (2, 6) are arranged on a common chip (11), and the interface (1 b) is also integrated on this chip (11).
 5. A time-triggered communication system as claimed in claim 1, characterized in that both communication controllers (2, 6) are each arranged on a chip (9, 10) of their own and the interface (1 a) is externally arranged.
 6. A method of synchronizing a dual-channel network which comprises two channels (A, B) and at least one node, characterized by the steps of transmitting a first limiting point (G1) to the first communication controller (2) via an inter-channel interface (1 a, 1 b) at the beginning of a cycle (cycle i) on the second channel (B), receiving the first limiting point (G1), transmitting a second limiting point (G2) to the second communication controller (6) at the beginning of a cycle (cycle i) on the first channel (A), determining a first temporal difference (Delta i) between the first limiting point (G1) and the second limiting point (G2), and generating a first and a second correction value in dependence on the first temporal difference (Delta i) for each of the two local clocks of the first and the second channel (A, B).
 7. A method as claimed in claim 6, characterized in that a correction value for the temporal offset between the two local clocks is formed by a function f(x), where x=(Delta i)/2.
 8. A method as claimed in claim 6, characterized in that the synchronization method is continued in the direction of a loop starting at the next cycle (cycle i+1) with a third limiting value (G3) and a fourth limiting value (G4).
 9. A method of synchronizing a dual-channel network comprising two channels (A, B) and at least one node, characterized by the steps of transmitting a first limiting point (G5) to the first communication controller (2) via an inter-channel interface (1 a, 1 b) at the start of a cycle (cycle i) on the second channel (B), receiving the first limiting point (G5), transmitting a second limiting point (G6) to the second communication controller (6) at the start of a cycle (cycle i) on the first channel (A), determining a first temporal difference (Delta i) between the first limiting point (G5) and the second limiting point (G6), transmitting a third limiting point (G7) to the first communication controller (2) via an inter-channel interface (1 a, 1 b) at the start of the next cycle (cycle i+1) on the second channel (B), receiving the third limiting point (G7), transmitting a fourth limiting point (G8) to the second communication controller (6) at the start of the next cycle (cycle i+1) on the first channel (A), determining a second temporal difference (Delta i+1) between the third limiting point (G7) and the fourth limiting point (G8), and generating a first to a fourth correction value in dependence on the first temporal difference (Delta i) and/or in dependence on the second temporal difference (Delta i+1) for each of the two local clocks of the first and the second channel (A, B).
 10. A method as claimed in claim 9, characterized in that a correction value for the temporal offset between the two local clocks is formed by a function f(x), where x=(Delta i)/2 and/or a correction value for the clock rate error is formed by a function g(y), where y=((Delta i+1)−(Delta i))/(2*cycle length).
 11. A method as claimed in claim 6, characterized in that the transit time delay for the transmission of a limiting value is known or estimated, and compensated by adaptation of the correction value.
 12. The use of a dual-channel network with inter-channel communication as a communication system in a motor vehicle control device.
 13. A device for a time-triggered communication system which comprises two channels (A, B) which each have a node, wherein the device has access to both nodes, characterized in that the device comprises a first communication controller (2) with a local clock which is assigned to the first channel (A); a second communication controller (6) with a local clock which is assigned to the second channel (B), and an interface (1 a, 1 b) for the inter-channel communication, which interface is arranged between the first communication controller (2) and the second communication controller (6), and both local clocks are physically separated.
 14. A device as claimed in claim 13, characterized in that both communication controllers (2, 6) are arranged on a common chip (11) and the interface (1 b) is also integrated on this chip (11).
 15. A device as claimed in claim 13, characterized in that both communication controllers (2, 6) are each arranged on a chip (9, 10) of their own and the interface (1 a) is arranged external to the two chips (9, 10).
 16. A device for the synchronization of a dual-channel network which comprises two channels (A, B) and at least one node, characterized in that the device comprises: means for transmitting a limiting point (G1, G2, . . . G8); means for receiving a limiting point (G1, G2, . . . G8); means for determining a temporal difference (Delta i) between two limiting points (G1, G2, . . . G8), and means for generating at least one correction value for each of the two local clocks of the two channels (A, B) in dependence on the determined temporal difference (Delta i).
 17. A motor vehicle control comprising a device as claimed in claim 13.
 18. A program which is run by a processor and which contains instructions for the implementation of a method of carrying out a synchronous cold start in a time-triggered communication system, as claimed in claim 7.